1. Description
- Define a custom FTP upload directory and lock each user into their own upload directory
- Bind the FTP server to a specific IP address
- Assign different access permissions to different login users
- Disable anonymous login
- Define which hosts/IPs/networks are allowed or denied access
2. Vsftpd Installation
2.1 Check whether the vsftpd package is installed
[root@B2B-TOTEAP1 ~]# rpm -qa|grep vsftpd
vsftpd-2.0.5-12.el5 # If the output is empty, the vsftpd package is not installed and you should install it manually
[root@B2B-TOTEAP1 ~]#ftp 10.13.24.119 2010
Connected to 10.13.24.119.
220-FileZilla Server version 0.9.31 beta
220-written by Tim Kosse (Tim.Kosse@gmx.de)
220 Please visit http://sourceforge.net/projects/filezilla
502 GSSAPI authentication not implemented
504 Auth type not supported
KERBEROS_V4 rejected as an authentication type
Name (10.13.24.119:root): test
331 Password required for test
Password:
230 Logged on
Remote system type is UNIX.
ftp> lcd /usr/local/src
Local directory now /usr/local/src
ftp> bin
200 Type set to I
ftp> mget vsf*
mget vsftpd-2.0.5-12.el5.x86_64.rpm?
227 Entering Passive Mode (10,13,24,119,18,69)
150 Connection accepted
226 Transfer OK
139052 bytes received in 0.014 seconds (9.6e+03 Kbytes/s)
ftp> bye
[root@B2B-TOTEAP1 ~]#cd /usr/local/src
[root@B2B-TOTEAP1 src]#ls
vsftpd-2.0.5-12.el5.x86_64.rpm
[root@B2B-TOTEAP1 src]#rpm -ivh vsftpd-2.0.5-12.el5.x86_64.rpm
2.2 Find the vsftpd installation paths
[root@B2B-TOTEAP1 ~]# find / -name vsftpd
/usr/share/logwatch/scripts/services/vsftpd
/usr/sbin/vsftpd
/var/lock/subsys/vsftpd
/etc/rc.d/init.d/vsftpd
/etc/vsftpd
/etc/pam.d/vsftpd
2.3 Check the vsftpd running status
[root@B2B-TOTEAP1 ~]# service vsftpd status
vsftpd (pid 18240) is running...
2.4 Disable anonymous connections
[root@B2B-TOTEAP1 ~]# vi /etc/vsftpd/vsftpd.conf
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES ----> anonymous_enable=NO
2.5 Create user accounts and set passwords
[root@B2B-TOTEAP1 ~]#groupadd b2bediftp
[root@B2B-TOTEAP1 ~]# useradd -g b2bediftp -d /data/ftp/Share public
[root@B2B-TOTEAP1 ~]# useradd -g b2bediftp -d /data/ftp/wm test
[root@B2B-TOTEAP1 ~]# chown root:b2bediftp /data/ftp/Share
[root@B2B-TOTEAP1 ~]# chown root:b2bediftp /data/ftp/wm
[root@B2B-TOTEAP1 ~]# chmod -R 755 /data/ftp/Share
[root@B2B-TOTEAP1 ~]# chmod -R 755 /data/ftp/wm
[root@B2B-TOTEAP1 ~]# passwd public
Changing password for user public
New UNIX password:
BAD PASSWORD: it is WAY too short
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@B2B-TOTEAP1 ~]# passwd test
Changing password for user test.
New UNIX password:
BAD PASSWORD: it is WAY too short
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
2.6 Grant permissions for virtual users
2.6.1 #vi /etc/vsftpd/vsftpd.conf
Add the following lines at the end of the file:
user_config_dir=/etc/user_config
local_root=/data/ftp/share
anon_world_readable_only=YES
write_enable=YES
anon_upload_enable=YES
2.6.2 #mkdir /etc/user_config/
2.6.3 #cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd2011.conf
Add a second listening port in the copied configuration:
pam_service_name=vsftpd2121
userlist_enable=YES
#enable for standalone mode
listen=YES
listen_port=2121
tcp_wrappers=YES
local_root=/data/ftp/wm
anon_world_readable_only=YES
write_enable=YES
anon_upload_enable=YES
2.6.3.1 Example:
a. Create the test user account and grant it browse, download and upload permission.
b. Create the public user account and grant it browse and download permission only.
#echo "anon_world_readable_only=YES" > /etc/user_config/public //the public user only has read permission
#cat >> /etc/user_config/test <<EOF
anon_world_readable_only=YES
write_enable=YES
anon_upload_enable=YES
EOF
//the test user has browse, upload and download permission
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
anon_world_readable_only=NO //means the user may browse the FTP directory and download files
anon_upload_enable=YES //means the user may upload files
anon_mkdir_write_enable=YES //means the user may create and delete directories
anon_other_write_enable=YES //means the user may rename and delete files
dirlist_enable=YES //allows all users to list directory contents
ftpd_banner=<welcome message>
banner_file=<file>
dirmessage_enable=yes
message_file=<file>
local_root=/path //directory a local user is placed in when logging on to the server
local_umask=<octal> //umask applied to files uploaded by local users
local_max_rate=<number> //transfer rate limit for local users (bps)
chmod_enable=YES //whether local users may change file permissions
New files are created with permission 0666 masked by local_umask
New directories are created with permission 0777 masked by local_umask
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
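The settings above only take effect per user once vsftpd merges the main vsftpd.conf with the file named after the user under user_config_dir, where a per-user key overrides the main value. The following added shell example (not from the original guide) resolves the value vsftpd will actually apply to a user and lists which users end up with write access; all paths, file contents and the user names public and test are constructed in a temporary directory.

```shell
# Added example (not from the original guide): resolve the value vsftpd will
# actually apply to one local user. vsftpd reads the main vsftpd.conf and, when
# user_config_dir is set, also loads <user_config_dir>/<username>, where any key
# overrides the main file. Everything below is constructed in a temp directory.
WORK=$(mktemp -d)
MAIN_CONF="$WORK/vsftpd.conf"
USER_CONF_DIR="$WORK/user_config"
mkdir -p "$USER_CONF_DIR"

# Constructed main configuration modelled on section 2.6.1.
cat > "$MAIN_CONF" <<EOF
anonymous_enable=NO
local_enable=YES
write_enable=YES
user_config_dir=$USER_CONF_DIR
local_root=/data/ftp/share
EOF
# Constructed per-user files modelled on section 2.6.3.1: read-only "public",
# read/write "test" with its own root directory.
printf 'write_enable=NO\nanon_world_readable_only=YES\n' > "$USER_CONF_DIR/public"
printf 'write_enable=YES\nanon_upload_enable=YES\nlocal_root=/data/ftp/wm\n' > "$USER_CONF_DIR/test"

# conf_get FILE KEY: value of KEY in FILE (comments skipped, last occurrence wins).
conf_get() {
    [ -f "$1" ] || return 0
    grep -v '^[[:space:]]*#' "$1" | grep "^$2=" | tail -n 1 | cut -d= -f2-
}

# effective_setting USER KEY: per-user file first, main configuration as fallback.
effective_setting() {
    dir=$(conf_get "$MAIN_CONF" user_config_dir)
    v=""
    [ -z "$dir" ] || v=$(conf_get "$dir/$1" "$2")
    [ -n "$v" ] || v=$(conf_get "$MAIN_CONF" "$2")
    printf '%s\n' "$v"
}

# write_users: list every user whose effective write_enable is YES, so the
# administrator can confirm that only the intended accounts may upload.
write_users() {
    for f in "$USER_CONF_DIR"/*; do
        u=$(basename "$f")
        if [ "$(effective_setting "$u" write_enable)" = "YES" ]; then
            printf '%s\n' "$u"
        fi
    done
}
```

Point MAIN_CONF at the real /etc/vsftpd/vsftpd.conf to audit a live server the same way.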
2.6.4 Restart the vsftpd service:
#killall vsftpd
# /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf &
#service vsftpd status
#chkconfig --list vsftpd
vsftpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
#chkconfig --level 345 vsftpd on
vsftpd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
vsftpd (pid 27278) is running...
or
#netstat -an | grep 21
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
2.7 User permission check
[root@B2B-TOTEAP1 ]#ftp 10.13.13.189
Connected to 10.13.13.189.
220 (vsFTPd 2.0.1)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (10.13.13.189:root): public
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bin
200 Switching to Binary mode.
ftp> ls
227 Entering Passive Mode (10,13,13,189,146,119)
150 Here comes the directory listing.
-rw-r--r-- 1 502 503 1255858 Apr 17 19:54 02.How to Install Oracle10.2.0.1 on Linux 4.5.pdf
drwxr-xr-x 2 502 503 4096 Apr 17 20:05 1
-rw-r--r-- 1 502 503 89088 Apr 17 19:54 Special Network Requirements Application Form X16.xls
-rw-r--r-- 1 502 503 4360 Apr 17 19:53 chmod命令使用详解.txt
226 Directory send OK.
ftp> mkdir testok
550 Create directory operation failed.
ftp> lcd /
Local directory now /
ftp> mget chmo*
mget chmod命令使用详解.txt?
227 Entering Passive Mode (10,13,7,115,27,180)
150 Opening BINARY mode data connection for c(4360 bytes).
226 File send OK.
4360 bytes received in 3.2e-05 seconds (1.3e+05 Kbytes/s)
ftp> ?
Commands may be abbreviated. Commands are:
! cr mdir proxy send
$ delete mget sendport site
account debug mkdir put size
append dir mls pwd status
ascii disconnect mode quit struct
bell form modtime quote system
binary get mput recv sunique
bye glob newer reget tenex
case hash nmap rstatus trace
ccc help nlist rhelp type
cd idle ntrans rename user
cdup image open reset umask
chmod lcd passive restart verbose
clear ls private rmdir ?
close macdef prompt runique
cprotect mdelete protect safe
ftp> delete ch*
550 Delete operation failed.
ftp> bye
[root@B2B-TOTEAP1 ~]#cd /
[root@B2B-TOTEAP1 /]#ls
bin etc lost+found ocfs_data sbin tmp
boot home media ocfs_index selinux u01
chmod命令使用详解.txt initrd misc opt srv usr
data1 lib mnt proc sys var
dev lib64 ocfs_ctrl_redo root
tftpboot
[root@B2B-TOTEAP1 ]#ftp 10.13.13.189
Connected to 10.13.13.189.
220 (vsFTPd 2.0.1)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (10.13.13.189:root): test
331 Please specify the password
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bin
ftp> mkdir testok
257 "/data1/Share/testok" created
ftp> ls
227 Entering Passive Mode (10,13,7,115,32,92)
150 Here comes the directory listing.
-rw-r--r-- 1 502 503 1255858 Apr 17 19:54 02.How to Install Oracle10.2.0.1 on Linux 4.5.pdf
drwxr-xr-x 2 502 503 4096 Apr 17 20:05 1
-rw-r--r-- 1 502 503 89088 Apr 17 19:54 Special Network Requirements Application Form X16.xls
-rw-r--r-- 1 502 503 4360 Apr 17 19:53 chmod命令使用详解.txt
drwxr-xr-x 2 502 503 4096 Apr 17 20:33 testok
226 Directory send OK.
ftp> bye
2.8 vsftpd log overview
[root@B2B-TOTEAP1 ]#vi /var/log/vsftpd.log
or
[root@B2B-TOTEAP1 ]#vi /var/log/xferlog/xferlog1/xferlog2/xferlog3/xferlog4
3. Bind the FTP server to specific IPs (untested)
Current IP: 192.168.0.2, new IP: 192.168.0.3:
#cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0:0
#vi /etc/sysconfig/network-scripts/ifcfg-eth0:0
DEVICE="eth0:0"
IPADDR="192.168.0.3"
:wq!
#ifup eth0:0 //activate eth0:0
Virtual adapter configured successfully!
Bind the FTP server to 192.168.0.2 and 192.168.0.3:
#vi /etc/xinetd.d/vsftpd, add the following lines:
server_args=/etc/vsftp.conf
bind=192.168.0.2
disable=NO
#cp /etc/xinetd.d/vsftpd /etc/xinetd.d/ftp //copy the xinetd service file for the second instance
#cp /etc/vsftpd.conf /etc/ftp.conf //copy /etc/vsftpd.conf as the second instance's config file /etc/ftp.conf
#vi /etc/xinetd.d/ftp, change bind=192.168.0.2 to bind=192.168.0.3 and server_args=/etc/vsftp.conf to server_args=/etc/ftp.conf
disable=NO
:wq!
4. FTP Server Resource Restrictions
max_clients=100 //maximum number of concurrent client connections
max_per_ip=5 //maximum number of concurrent connections from the same IP
local_max_rate=5000000 //maximum data transfer rate for local users
anon_max_rate=2000000 //maximum data transfer rate for anonymous users
5. TCP Wrappers
#vi /etc/hosts.allow
vsftpd:10.13.24.119:allow //allow 10.13.24.119 to access the vsftpd server
vsftpd:10.13.24.0/255.255.255.0 //allow hosts in the 10.13.24.0/24 network to access FTP
#vi /etc/hosts.deny
vsftpd:ALL //deny all other hosts access to FTP
The equivalent xinetd attributes (in the service file under /etc/xinetd.d) are:
only_from = //restrict access to the listed IPs, hosts or networks
no_access = //deny access to the listed IPs, hosts or networks
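To confirm what the hosts.allow and hosts.deny rules above actually admit before relying on them, the following added shell example (not from the original guide) evaluates the three client patterns the section uses for a given client address, following the TCP wrappers order of hosts.allow first, then hosts.deny, first match wins, no match allows. Both files and the client addresses are constructed in a temporary directory.

```shell
# Added example (not part of the original guide): evaluate the TCP wrappers
# rule forms used in section 5 (single IP, net/mask, ALL) for a given client,
# so an administrator can check who hosts.allow / hosts.deny admit to vsftpd
# before touching the live files. Both files are constructed in a temp directory.
WRAP=$(mktemp -d)
cat > "$WRAP/hosts.allow" <<'EOF'
# constructed copy of the guide's hosts.allow
vsftpd:10.13.24.119:allow
vsftpd:10.13.24.0/255.255.255.0
EOF
printf 'vsftpd:ALL\n' > "$WRAP/hosts.deny"   # constructed copy of hosts.deny

# ip2int A.B.C.D: dotted quad to an integer using POSIX arithmetic only.
ip2int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( a*16777216 + b*65536 + c*256 + d )); }
}

# client_match PATTERN IP: the three client patterns the guide uses.
client_match() {
    case "$1" in
        ALL) return 0 ;;
        */*) net=${1%/*}; mask=$(ip2int "${1#*/}")
             [ $(( $(ip2int "$2") & mask )) -eq $(( $(ip2int "$net") & mask )) ] ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# wrappers_decision DAEMON IP: hosts.allow is searched first, then hosts.deny;
# the first matching rule wins and a client matching neither file is allowed.
# An optional third field "allow"/"deny" overrides the file's default verdict.
wrappers_decision() {
    for f in allow deny; do
        while IFS=: read -r daemon clients opt; do
            case "$daemon" in ''|\#*) continue ;; esac
            [ "$daemon" = "$1" ] || [ "$daemon" = ALL ] || continue
            client_match "$clients" "$2" || continue
            case "$opt" in allow|deny) echo "$opt" ;; *) echo "$f" ;; esac
            return 0
        done < "$WRAP/hosts.$f"
    done
    echo allow
}
```

Note that the daemon field must match the process name vsftpd exactly (the match is case-sensitive), and the deny rule only applies to clients that no hosts.allow line matched.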